RollJam: This $50 'Universal Remote' Unlocks All Kinds Of Car Doors


With just two radios, a microcontroller and a battery, all purchasable over
eBay for less than $50, independent researcher Samy Kamkar has created something wonderfully villainous. His so-called RollJam exploits digital keys and unlocks cars almost at will. In recent weeks, he’s done just that on his own Lotus Elise models from 2005 and 2007, as well as some Toyotas, a Cadillac and the Cobra alarm keys used by a number of vehicles.

The RollJam takes advantage of a design flaw in the protocol that determines how keys communicate with cars. It targets “rolling codes”, the one-time codes a key sends to the car that change with every lock or unlock press; the car accepts each code only once and then moves on, so a code captured by a passive sniffer is worthless on its own. RollJam gets around that by jamming the car's receiver while it records the key's transmission: the car never hears the code, so the code is never consumed and stays valid. When the driver presses the button again, RollJam records that second code and replays the first, so the car responds as expected and the attacker is left holding a code that has not yet been used. Because nothing in the codes ties them to a time, the stored code can be replayed later. Even where the device only collects lock codes, Kamkar claims to have developed a method that can convert them into unlock codes. “I can flip some information around within the signal,” he said.

The researcher, who will show off his exploits at the DEF CON conference in Las Vegas this Friday, said his creation was essentially meant to be car agnostic, unlocking “many different types of cars in makes and models... it’s like a universal remote”. “On my car where I have time to look at the signal or chip, I can see the difference between lock and unlock and my device can alter it live,” he told FORBES.

RollJam can intercept and reverse car and garage locks. It only costs about $60 to make too.

For anyone who wants close-to-permanent access to others’ cars, Kamkar said it would be wise to use two RollJams, sticking one under the targeted car and using another in a place where the vehicle is commonly parked to communicate wirelessly with the hidden device. To date, he has mainly been testing the National Semiconductor NM95HS02 "High Security Rolling Code" chip in his Lotus. He’s also been exploiting the KeeLoq chip used by garage locks, potentially allowing access into people's homes.

There is one barrier to his attacks: Kamkar has to research each kind of chip used by different cars. “I have to implement each chip, then it works across any vehicle using that chip - typically several models across a few years. Each chip implements how it sends button presses differently so generally my device sniffs and replays (while performing the jam/intercept)."

Kamkar has frequently used cheap and dirty techniques to expose flaws in technologies that move, including drones and modern vehicles. Just last week, he showed off exploits of the GM OnStar app to track and unlock the manufacturer's vehicles. GM subsequently issued a patch.

Given the chips Kamkar is exploiting aren't updatable over-the-air, there's little users can do to prevent RollJam from unlocking their vehicles. For the paranoid, it might be worth doing quick checks of the car to ensure a hacker hasn't sneakily connected a RollJam or similar device to their vehicles. "Drivers would have to use a physical key, or simply be very cautious when using remote [keys] and pay careful attention if the button didn't work," Kamkar added.

As for manufacturers, they could use a timer to keep remote keys and the car in sync so that each code is only good within a narrow time window, he added. He believes the KeeLoq chip was improved to do just that. Alternatively, the verification could be improved to guarantee the authenticity of the codes, or the codes could be made to expire after a given time.
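As an added illustration (not Kamkar's code, and not the real NM95HS02 or KeeLoq hopping-code format), the Python simulation below models a counter-based rolling-code fob and receiver, a RollJam-style unit that jams each press, records it and replays the previous one so that it always holds one fresh, unused code, and the timer-based mitigation described above. The demo key, the HMAC-based code format, the 16-code acceptance window and the 30-second validity window are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key shared by fob and car. The HMAC construction is an
# illustration of "counter + button, authenticated", not a real chip's format.
KEY = b"demo-fob-secret-key"


def tag(key: bytes, counter: int, button: str, sent_at: int) -> bytes:
    """Authenticate counter, button and send time together (8-byte tag)."""
    msg = f"{counter}:{button}:{sent_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Remote key: every press increments the counter and emits a fresh code."""

    def __init__(self, key: bytes, clock):
        self.key, self.clock, self.counter = key, clock, 0

    def press(self, button: str) -> dict:
        self.counter += 1
        now = self.clock()
        return {"counter": self.counter, "button": button, "sent_at": now,
                "tag": tag(self.key, self.counter, button, now)}


class Car:
    WINDOW = 16  # assumed: tolerate up to 16 presses made out of range

    def __init__(self, key: bytes, clock, max_age=None):
        self.key, self.clock, self.max_age = key, clock, max_age
        self.last_counter, self.locked = 0, True

    def receive(self, p: dict) -> bool:
        expected = tag(self.key, p["counter"], p["button"], p["sent_at"])
        if not hmac.compare_digest(p["tag"], expected):
            return False                        # forged or altered code
        if not self.last_counter < p["counter"] <= self.last_counter + self.WINDOW:
            return False                        # already used (replay) or too far ahead
        if self.max_age is not None and self.clock() - p["sent_at"] > self.max_age:
            return False                        # expired: the timer mitigation
        self.last_counter = p["counter"]
        self.locked = (p["button"] == "lock")
        return True


class RollJam:
    """Jams so the car misses each press, records it, and replays the
    previous press so the driver sees the car respond. It therefore always
    holds exactly one code the car has not yet consumed."""

    def __init__(self, car: Car):
        self.car, self.stash = car, None

    def jam_and_capture(self, p: dict) -> bool:
        previous, self.stash = self.stash, p    # the car never hears p
        return self.car.receive(previous) if previous else False

    def replay_stash(self) -> bool:
        return self.car.receive(self.stash) if self.stash else False


def simulate(max_age=None) -> dict:
    """Run the attack against a car with (max_age=seconds) or without a
    validity window. Returns whether each step made the car respond."""
    t = [1000]                                  # constructed clock, in seconds
    clock = lambda: t[0]
    fob, car = Fob(KEY, clock), Car(KEY, clock, max_age=max_age)
    rj = RollJam(car)
    first = rj.jam_and_capture(fob.press("unlock"))   # looks dead to the driver
    t[0] += 5
    second = rj.jam_and_capture(fob.press("unlock"))  # code 1 replayed: car opens
    t[0] += 3600                                      # driver long gone
    later = rj.replay_stash()                         # attacker plays code 2
    again = rj.replay_stash()                         # same code a second time
    return {"first": first, "second": second, "later": later, "again": again}


if __name__ == "__main__":
    print("no timer:  ", simulate())
    print("30 s timer:", simulate(max_age=30))
```

Without the timer the stashed code opens the car an hour later; with a 30-second window it is rejected, and in both cases a code the car has already consumed is refused, which is why a passive sniffer alone does not work. Note that the stash is only good until the fob next talks to the car successfully, since the counter then moves past it; that is the reason the text above suggests leaving a unit attached to the car.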

UPDATE: Toyota responded to a request for comment with the following over email: "We're committed to addressing security challenges that are facing the entire industry. We can’t comment specifically on these claims without more information on the alleged entry method or which models or model year vehicles might be affected. However, as always, Toyota recommends that all valuables or other personal items are removed from a vehicle when it is left unattended."